FDIC Examines Mobile Payment Risks

In a detailed paper on mobile payments published in the FDIC’s winter issue of “Supervisory Insights,” a group of agency executives explore in detail “the unique risks and supervisory issues raised by this technology.”

The FDIC’s point: amid the loud enthusiasm for these fast-emerging technologies, there has not been a comparable focus on the security issues the new generation mobile payments tools raise. The paper – authored by four FDIC executives – aims to address these concerns.

What it finds may be surprising: although the mobile payments formats may seem new, in most cases they fall under already well-established regulatory requirements.

For starters, the FDIC acknowledged that the mobile payments universe is immense and growing. “Consumers spent over $20 billion using a mobile browser or application during the year [2012],” the agency noted. It also observed that some one-third of mobile phone users in 2012 reported using a mobile device to make a purchase.

These numbers are “likely to grow as smartphone ownership increases and mobile payments platforms become more widespread,” wrote the FDIC team.

One FDIC prediction: “It is unlikely that any one technology will become dominant” and so the FDIC envisions continued battles amongst Near Field Communications (NFC), cloud-based payments schemes, and image-based schemes (barcode readers).

A key point, per the FDIC: the main mobile payments formats leverage off requirements that users provide bank account information or a prepaid card and thus “the risks associated with mobile payments should be familiar to financial institutions,” wrote the FDIC executives.

A particular challenge with regard to mobile payments, noted the FDIC, is that most schemes involve non-banks (technology companies or wireless carriers, for instance) and, importantly, most transactions also involve multiple players. Noted the FDIC: “Unlike most banking products that allow institutions to control much of the interaction, mobile payments require the coordinated and secure exchange of payment information among several unrelated entities.” A further complication, said the FDIC, is that many of the key players are “entrepreneurial companies” with little familiarity with security expectations for financial institutions.

Warned the FDIC: “Financial institutions should be particularly conscious of the potential and perceived risk of fraud in mobile payments.”

The FDIC observed that there are no federal laws or regulations that govern mobile payments. However, noted the FDIC, most payments piggyback on traditional formats (such as ACH or EFT) and “the laws and regulations that apply to that method also apply to the mobile payment.”